Core Compliance Blog


Cybersecurity is becoming a greater priority each year for investment firms. Not only is the risk of attack increasing from a growing number of sources, but the level of potential damage to individual firms and to the overall market also increases with each passing year.

As a reflection of the ever-growing cyber threats to market stability and investor security, regulatory bodies are making cybersecurity risk and prevention a focus of their oversight activities.

Since 2015, the SEC Office of Compliance Inspections and Examinations (OCIE) has clearly and repeatedly stated its intention to focus heavily on working with firms to identify and manage cybersecurity risks through compliance with cybersecurity standards.

However, interagency cooperation and activity indicate that not all firms are taking the measures needed to ensure that the cybersecurity policies and risk-management procedures necessary to protect market integrity are in place.

Cybersecurity Risks and Interagency Cooperation

As cases of non-compliance are identified, either the OCIE or the SEC Enforcement Division steps in to take action in one of the following forms:

Enforcement inquiry by the SEC Enforcement Division

OCIE examination proceedings to determine areas for improvement, with results communicated through the deficiency letter process

Clearly, protection of the market and of investors has become an industry-wide priority, and compliance with bolstered cybersecurity requirements to reduce risks is expected by the associated regulatory agencies.

Informed Employees — The Cybersecurity Front Line

Informed employees act as the critical first line of defense against cybersecurity threats, and a vigorous training program is key to bolstering both protection and compliance.

Successful cybersecurity training programs include, at a minimum, the following components:

How to identify cybersecurity risks, including social engineering, phishing, viruses, hacking, and malware

Understanding cybersecurity policies and user responsibilities related to an employee’s specific job role

Implementing sound protection habits, such as encryption protocols, strong password policies, data backups, and the use of anti-virus/anti-malware software

Outlining and reviewing the firm’s incident response procedures with all employees

Up-to-date training focused on these fundamental elements of cybersecurity risk prevention increases employees’ knowledge and ability to effectively fill their role as cybersecurity gatekeepers.

Bolstering Cybersecurity to Meet SEC Standards — We Can Help

In its 2018 National Examination Program Priorities memo, OCIE released the following statement on cybersecurity issues:

“We will continue to prioritize cybersecurity in each of our examination programs. Our examinations have and will continue to focus on, among other things, governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.”

This statement clearly indicates the need for firms to allot the necessary resources that will ensure their cybersecurity policies and procedures are robust enough to meet regulatory standards and reduce the threat of cyberattack and its associated damages.

Employee education that bolsters your firm’s cybersecurity capabilities is the logical first step toward reducing risk and complying with the SEC’s ever-increasing requirements.